India's approach to data governance, which neither favors excessive state intervention nor is exclusively laissez-faire, encourages innovation
Innovations in India’s digital public infrastructure ecosystem have not only enhanced basic societal functions, they have also provided a pathway to democratize data and return to the people control over their own data.
For many centuries, public and private services were based on people- and paper-based processes. These included the delivery of services and ensuring compliance with the prevailing laws and regulations. Digital infrastructure replaces people and paper with code, bringing greater efficiency. Operating around the clock at low cost, digital infrastructure can be scaled up to reach a large number of people, achieving in just a few years gains that would otherwise have taken several decades. Likewise, digital public infrastructure delivers society-wide services across the population, including to marginalized communities.
The advent of the digital age has also led to an explosion in the volume of data, its availability, and how it is processed. Globally, a handful of service providers such as Facebook, Google, and Apple control extremely large amounts of highly valuable consumer data that they aggregate and exploit for their gain. This asymmetric access to data makes it hard for people to leverage their personal data for their own benefit.
This is especially relevant because public digital infrastructure can greatly enhance data-driven access to finance. It is globally documented that, absent tangible collateral, a large majority of the adult population cannot borrow from the financial system. Information captured from people’s everyday online activities creates “information capital” that reduces transaction costs, information asymmetry between borrowers and lenders, and reliance on physical collateral. When individuals have access to and control over their data, they are able to generate information capital.
Many regulators have attempted to address the problem of private companies’ data hoarding by enacting policies to curb data misuse, but these policies have also prevented the utilization of data, especially for the benefit of the broader population.
However, within India’s digital financial architecture framework, privacy safeguards are part of the technical design of the digital public infrastructure, rather than externally imposed by law and regulatory policy. Data’s benefits are universally available without infringing on individual rights. This approach to data governance neither favors excessive state intervention nor is it exclusively laissez-faire. Such a combination of private and public features encourages better regulation and innovation.
Digital first
India’s digital public infrastructure has grown rapidly since 2009 for three main reasons. First, the strategic vision has been the design of the digital public infrastructure as rails, with each rail addressing a specific need. Second, technological innovation across several of these rails has created a powerful integrated stack of applications, often referred to as the India Stack, that can be scaled up to serve the diverse population—over a billion people in 29 states and 22 languages. Third, digital public infrastructure has been implemented across multiple sectors.
Unlike other countries, where the digital infrastructure was developed largely by private companies, India put together a unique model of digital public infrastructure, publicly designed and controlled but privately implemented.
This approach has enabled the public sector to move away from responsibility for end-to-end delivery—for example, in the payment, education, and health sectors. The rapid increase in digitalization across India has led to deeper penetration as well as harmonization of platforms across various government services. Now, in the context of public-private partnerships, the public sector focuses on the regulatory framework, while the private sector handles consumer interface and service delivery. The approach has also reduced inclusion gaps.
India’s digital public infrastructure, built within the regulatory system, has enabled its citizens to achieve access to the formal economy through a verifiable digital identity; participation in the nationwide marketplace through a fast payment system; and secure welfare gains in finance, health, and commerce through data empowerment and data sharing.
Verifiable identity: Verifiable identity, or an ID certifying that “I am who I am,” is a key element of any economy and its level of financial inclusion. In 2008, only 1 in 8 Indians had a verifiable identity. In 2009, India rolled out a verifiable ID, widely known as Aadhaar, as a part of its digital public infrastructure that eventually reached over a billion people, including those who could not read or write.
This digital ID boosted financial inclusion. In less than 10 years, the share of adults with a bank account rose from 25 percent to more than 80 percent. Given that financial inclusion goes hand in hand with economic development and GDP per capita, one rough estimate suggests that if India had relied solely on traditional growth processes, it would have taken nearly 50 years to achieve the same rise in inclusion.
A fast payment system: For consumers, a fast payment system—yet another piece of the digital public infrastructure—is a secure and more convenient channel for money transfer and bill payment. For businesses, it offers an efficient way to manage sales and inventory and reduce overhead. Government gets a leak-free channel for welfare and other payments to citizens, including hard-to-reach target groups.
Efficient payment systems reduce the need for a cash economy and in turn support higher economic growth. India’s fast-payment system, called the Unified Payments Interface (UPI) and run by the nonprofit National Payments Corporation of India, exemplifies how the regulator (for example, the central bank) and the regulated (for example, commercial banks) can together run a payment system as a voluntary digital public infrastructure that operates around the clock. UPI is interoperable, in that it allows online payment services, such as PhonePe, Paytm, and Google Pay, to connect to its service, and the cost of running the payments rail is borne by participating commercial banks.
This system offers all the network benefits of large technology systems, such as instant transfers and near-zero charges, without the monopolistic disadvantages. At the end of 2022, UPI was processing nearly 8 billion transactions a month, about 70 percent more than the previous year. In fact, digital commerce rails augmented by digital payment systems blunted the worst ravages of the country’s COVID-19 lockdowns.
Broad applicability: The pandemic has demonstrated the power of digital public infrastructure—beyond finance. Successful system-wide solutions include vaccine development and distribution that have saved lives, e-commerce rails that have protected jobs and livelihoods, and the delivery of education digitally, which has minimized the loss of schooling.
In the health care sector, for example, digital rails allow data sharing across the medical ecosystem so that hospitals, diagnostic laboratories, and research institutions alike can benefit from real-time data exchange—with patients’ consent and for their benefit. Readily available comprehensive patient records that include symptoms, medical histories, and other data points allow doctors to provide more accurate diagnosis and treatment.
In the skills sector, digital public rails offer trusted frameworks through which skill credentials can be exchanged and relied on anywhere and everywhere. In a world where people are increasingly mobile, the ability to certify their own skill credentials can result in significant empowerment.
In the education sector, digital rails complement existing practices and offer tools that enable teachers, learners, and educational institutions to achieve learning goals on a national scale. They facilitate new means of learning and evaluation that can be disseminated in a way that delivers personalized learning outcomes.
Data empowerment architecture
Digital infrastructures hold vast amounts of data. Even though laws restrict how much data can be collected, how it can be used, and how long it can be retained, consumers are often unable to access their data since it is stored in proprietary silos and in incompatible formats. Given the amount of data involved, as well as the need to keep it secure and transaction costs low, any system that restores control to consumers and businesses must be digital.
India’s Data Empowerment and Protection Architecture (DEPA) offers a techno-legal solution that allows individuals to operationalize their data rights through a consent-based data-sharing system. It provides a high level of security and has low transaction costs (at about $0.07 a data pull), which are borne by the consumers that seek the service. This architecture combines digital public infrastructure and private-market-led innovation. Data sharing takes place only with detailed consent that specifies which data are requested, how long they will be retained, and who will process them. The protocols also give people and businesses, or data subjects, the ability to revoke their consent, audit data-sharing transactions, and impose data security requirements on the data-sharing process.
Here’s how a consent-based data-sharing rail in the financial sector works in practice. The chart shows how digital public infrastructure allows the provision of credit, insurance, and wealth management services through authorized data sharing in a system that complies with well-established data privacy principles.
In this series of transactions, the consent manager is aware of the identity of both the data users or providers, but blind to the content of the data that they are transferring. Data users (providers), on the other hand, are aware of the content of the data but blind to the identity of the data provider (user). Through the consent manager, data flows are separated from consent flows, thereby ensuring the efficient transfer of data while respecting privacy concerns. For example, though a bank may in response to a request from a customer share data about that customer’s spending history for a credit application, it remains unaware of the purpose of the request and the identity of the entity receiving the data.
Since this system went live in India’s financial sector last year, some 1.1 billion individual accounts on the system can now reap benefits from the value of their data. Individual experiences show that the system has significantly reduced the time it takes to access credit—from months to days. For example, a small business that ran into severe liquidity difficulties when its expansion plans became impractical following the onset of the COVID-19 pandemic was able to raise financing and avoid bankruptcy thanks to its readily shareable financial data.
However, India’s journey has not been without challenges. Absent a national data protection law, the country’s data consent framework was developed under the regulatory supervision of the central bank, rather than a regulator specializing in data protection. India’s new draft law specifically references the technical and regulatory mandate of the consent manager, which is central to the DEPA framework, and when enacted will play a critical role in shaping DEPA’s regulatory and supervisory foundations.
Data governance
The takeaways from the Indian experience, and more generally the experience of many jurisdictions worldwide—Australia, Singapore, the United Kingdom, and the European Union, to name a few—have demonstrated the centrality of data to the delivery of fair and tangible outcomes to citizens. A key feature of digital public infrastructure is that it can be designed to enable individuals and businesses to use their data for their own benefit.
India’s experience suggests that adherence to the following would be valuable for other countries wishing to adopt a digital public infrastructure:
- Citizens should have the right to access and use their data, wherever it resides, for their own benefit.
- The rules for access and the use of data should be practical and clear and allow users to access and share their data with consent, at reasonable cost, and in a manner that respects their privacy and security.
- Such a system must be digital and the data protection principles integrated into the technology, given the large quantity of data involved and the need to keep it safe with low transaction costs.
In the recent past, senior policymakers from Australia, France, India, Japan, Rwanda, the Bank for International Settlements, and the European Commission have deliberated data empowerment approaches and affirmed the importance of reinforcing the twin policy goals of privacy and data-driven innovation through open, interoperable technical protocols. Data governance has also become an essential element of some new regional trade initiatives in the Asia and Pacific region. The Digital Economy Partnership Agreement between Chile, New Zealand, and Singapore and the Indo-Pacific Economic Framework for Prosperity are two recent examples.
Digital public infrastructure and data empowerment will be central themes of India’s G20 presidency in 2023. To make progress worldwide, a global governance mechanism is needed to support open technology standards, regulatory coordination across multiple stakeholders, and interoperable accreditation. Not least, international coordination is essential to satisfactory governance of cross-border transactions. It is too early to talk about common standards for data governance, but conversations in informal settings and at international institutions about the broad parameters for such standards have already begun.
Looking ahead, the global community needs to promote this conversation, encouraging like-minded countries to share their experiences and expand the frontier of best practices in data governance. The continued lack of institutions to represent global interests in the digital arena is a major gap in the current international architecture.
Opinions expressed in articles and other materials are those of the authors; they do not necessarily reflect IMF policy.